ColdFusion 8 FCKeditor Vulnerability

July 03, 2009
coldfusion

There have been a few stories about a vulnerability in FCKeditor that is bundled with ColdFusion 8, first on SANS and now on The Register.

The FCKeditor ColdFusion connector isn't enabled on all CF installations. I think it is enabled if you installed a fresh 8.0.1, while older versions may have had it disabled by default. Either way, you need to make sure it is disabled and remove the file manager. John Mason has put together a blog entry detailing how to do this here. If you aren't using cftextarea, you might as well go ahead and delete (or move outside the web root) /CFIDE/scripts/ajax/FCKeditor/ altogether.
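To confirm the cleanup described above on your own server, the following is an added example (not code from this post or from Adobe) that audits a web root on disk for the bundled editor. It assumes connector settings live in files named config.cfm and are switched on with a `Config.Enabled = true` assignment; the sample tree it builds is constructed for demonstration.

```python
import re
import tempfile
from pathlib import Path

# Path from the post, relative to the web root.
FCK_REL = Path("CFIDE/scripts/ajax/FCKeditor")
# Assumption: connector configs are named config.cfm and enable
# themselves with a "Config.Enabled = true" style assignment.
ENABLED_RE = re.compile(r"Config\.Enabled\s*=\s*(true|yes|1)\b", re.I)


def audit_fckeditor(web_root):
    """Return a list of findings for the bundled FCKeditor under web_root."""
    fck = Path(web_root) / FCK_REL
    if not fck.is_dir():
        return []  # deleted or moved outside the web root
    findings = [f"present: {fck}"]
    entries = sorted(fck.rglob("*"))
    # File manager directories still on disk (any depth, any case).
    for d in entries:
        if d.is_dir() and d.name.lower() == "filemanager":
            findings.append(f"file manager present: {d}")
    # Connector configs that are still switched on.
    for cfg in entries:
        if cfg.is_file() and cfg.name.lower() == "config.cfm":
            if ENABLED_RE.search(cfg.read_text(errors="replace")):
                findings.append(f"connector enabled: {cfg}")
    return findings


def build_sample(root, enabled):
    """Constructed sample tree (hypothetical layout), for demonstration only."""
    cfg_dir = Path(root) / FCK_REL / "editor" / "filemanager" / "connectors" / "cfm"
    cfg_dir.mkdir(parents=True)
    state = "true" if enabled else "false"
    (cfg_dir / "config.cfm").write_text(
        f"<cfscript>\nConfig.Enabled = {state};\n</cfscript>\n"
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, enabled=True)
        for line in audit_fckeditor(tmp):
            print(line)
```

An empty result means the directory is gone from that web root; any "connector enabled" or "file manager present" line means the steps above are not finished.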

Also, if you use FCKeditor (on any version of CF) outside of cftextarea, make sure you are not at risk.

I haven't had a chance yet to review the vulnerability itself, but I will do so and post details. In the meantime, just make sure your server is not vulnerable.

I would like to point out another thing you can do to make yourself less susceptible to automated attacks like this: move your /CFIDE/scripts/ directory to a different URI, then specify your custom URI in the ColdFusion Administrator under Server Settings at Default ScriptSrc Directory. Eliminating defaults is key to avoiding such worms. Yes, you are still vulnerable, but it buys you some extra time to react to such attacks. That was one of the tips in my presentation at cf.Objective() on Hardening ColdFusion, which I still need to post the slides for.

Update: The Adobe Product Security Incident Response Team (PSIRT) has posted an official response to this issue here.

Update: Adobe has posted a hotfix for this issue.



Comments

http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat yields Network Timeout...how very useful!
I am completely camouflaged and deeply moved. ,
